I think this is *network* not *local* right? A user can trigger this via the API. They have to be authenticated, so they can't just be some random person, but they can cause the system to give them access to *other* users' data. Doesn't that also mean the "scope" is "changed"? Meaning, my guess is that it should have this scoring:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Gorka, I haven't tested your patch myself, but you and I did discuss it earlier. Looking at it now, I'm wondering: how can cinder redirect or check with nova for a regular volume detach? If nova is the one doing the volume detach (via cinder), how does cinder know not to just redirect back to nova (creating a loop)? Is there some state cascade that we rely on to know that the detach has gone through nova at some point?